Dec 31 2009

9 Steps to Secure Your Wireless Access Point

A wireless access point is essentially your network's bouncer. A bouncer says to passersby, "Hey, here's someplace you want to get into, but not everyone is getting in." And like the bouncer, if that AP isn't up to the job, ruffians will flood your network. The chief challenge comes the moment the device is out of the box: You need to customize its preset vendor software configuration.

1. Dump default passwords: Every AP comes set for an administrator to gain access and tinker, but generally the initial logon requires no password or a known one. Immediately apply your agency's password policy—at minimum, an alphanumeric and special character code of no fewer than eight characters. For high-security environments, turn to automated password generators or two-factor access codes to authenticate users.

2. Max out the crypto: An AP will arrive ready to handle a few preset encryption levels. Go for the highest level a product allows—typically, no more than 128-bit shared keys on current access points. It's crucial to keep in mind that for a network with multiple APs, you must set them all at the same crypto level. An older product that tops out at 104-bit keys won't work with one set to 128—you'll have to go with 104 throughout.

3. Rotate the keys: Vendors often create default key sets for shared-key authentication between the AP and wireless devices trying to access the network. You'll want to change these up and keep changing them on a regular basis.

4. Rein in the reset: Beware of the reset function because it generally reverts a device to the factory defaults—making your network vulnerable to intrusion. Make sure this function is off-limits to everyone but systems administrators. This requires two things: physical security for the devices, because APs often have a physical button that is pressed to invoke the reset, and software-controlled access for devices that allow a remote reset.

5. Address the MAC addresses: You can specify exactly which end-user devices you will let access your network by their Media Access Control (MAC) addresses. By filtering on MAC addresses, you will know who is trying to get on, who is on, and when someone not authorized to gain access pings your AP. The sysadmin creates an access control list (ACL) of acceptable MAC addresses that the AP then uses to accept or reject would-be users.
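The following script shows how the MAC ACL in step 5 works in practice and how it also gives you the visibility the step promises (who is on, who was refused, who keeps trying). It is an added example, not code from the original article; the ACL entries and the AP event log are constructed, and the log line format is an assumption rather than any vendor's actual output.

```python
"""Enforce a MAC address ACL on association requests and report who got on,
who was refused and who is still connected. Added example, not the article's
code; the ACL contents and the event log format below are constructed."""
import re

# Constructed: the sysadmin's list of approved client adapters (step 5).
MAC_ACL = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}

# Constructed AP event log. Vendors write MACs in different cases and with
# different separators, so the filter must normalise before comparing.
EVENT_LOG = """\
10:01:03 assoc-req 00-1A-2B-3C-4D-5E
10:01:04 assoc-req 00:1a:2b:3c:4d:5f
10:02:17 assoc-req 0c:f4:99:aa:bb:cc
10:05:40 disassoc  00:1a:2b:3c:4d:5e
10:06:02 assoc-req 0c:f4:99:aa:bb:cc
"""

LINE_RE = re.compile(r"^(\S+)\s+(assoc-req|disassoc)\s+(\S+)$")


def normalise_mac(mac):
    """Canonical lowercase colon form; raises on anything that isn't a MAC."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def apply_acl(acl, log_text):
    """Replay the log through the ACL. Returns (connected, rejected): the set
    of approved MACs still associated, and the list of (time, mac) attempts
    the AP should refuse and that the sysadmin should be told about."""
    allowed = {normalise_mac(m) for m in acl}
    connected, rejected = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in a format this parser doesn't understand
        ts, event, mac = m.groups()
        mac = normalise_mac(mac)
        if event == "assoc-req":
            if mac in allowed:
                connected.add(mac)
            else:
                rejected.append((ts, mac))
        elif event == "disassoc":
            connected.discard(mac)
    return connected, rejected


def repeat_offenders(rejected, threshold=2):
    """MACs refused at least `threshold` times: worth a closer look."""
    counts = {}
    for _, mac in rejected:
        counts[mac] = counts.get(mac, 0) + 1
    return sorted(mac for mac, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    connected, rejected = apply_acl(MAC_ACL, EVENT_LOG)
    print("connected:", sorted(connected))
    print("rejected:", rejected)
    print("repeat offenders:", repeat_offenders(rejected))
```

The normalisation step matters more than it looks: an ACL entry typed as `00-1A-2B-3C-4D-5E` and a client reporting `00:1a:2b:3c:4d:5e` are the same adapter, and a filter that compares raw strings will lock out your own users while giving you a false sense of control.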

6. Rename your network and don't broadcast its SSID: Every AP will come with what is essentially a default name, the service set identifier or SSID, which then becomes the 32-byte ID for your wireless LAN. The defaults used by vendors are well known, so you need to change the SSIDs on your APs—but don't give this change a lot of security credence because smart hackers can easily sniff SSIDs. The change will, however, keep out random unwanted users and less-sophisticated hackers. Second, disable the broadcast function that announces your ID in beacons and answers the zero-length (wildcard) SSID probe requests a hacker uses to locate wireless networks in a given area.

7. Announce your presence quietly: Each AP sends a signal so wireless devices can find it to gain access. But you can maximize the interval between transmissions of your signal beacon so that your AP isn't blaring frequently as if to announce: "Here's a wireless node. Everybody come on in." It will be much tougher for scanning hackers to passively home in on your network if you set the beacon interval as high as possible—typically 67 seconds.

8. Be stringent with SNMP: Keep Simple Network Management Protocol agents functional on your AP only if they run SNMP Version 3. Versions 1 and 2 make it possible for hackers to manipulate the agents and weasel their way around the AP and onto your network. SNMP 3 has bonus features because it will let you monitor activity on your WLAN and trawl for intruders.

9. Down with DHCP: You can block breaches of your wired networks via your WLAN by forgoing the use of Dynamic Host Configuration Protocol servers. A DHCP server automatically assigns temporary Internet Protocol addresses to devices that have gained access so that users can then reach other networks. But the DHCP server can't validate the users to which it gives IP addresses, so if a hacker gets through your first line of defense, your other systems become vulnerable. Instead, sysadmins should set the addresses for your users' wireless devices.
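Taken together, the nine steps amount to a checklist you can audit an AP estate against. The script below does that for a small WLAN and also enforces the cross-AP rule from step 2 (every AP must use the same key length, and it can be no higher than the weakest AP supports). It is an added example, not code from the original article or from any vendor: the `key=value` config format, the setting names, the default-password and default-SSID lists and the 30-day key rotation policy are all constructed assumptions. The beacon conversion uses the 802.11 time unit of 1024 microseconds, which is why the maximum 16-bit interval of 65535 TU comes to the roughly 67 seconds quoted in step 7.

```python
"""Audit wireless AP configurations against the nine-step checklist. Added
example, not the article's code; the config format, setting names and
default lists are constructed assumptions, not any vendor's real settings."""
import re

DEFAULT_PASSWORDS = {"", "admin", "password"}   # constructed default list
DEFAULT_SSIDS = {"default", "linksys", "tsunami"}  # constructed default list
MAX_BEACON_TU = 65535           # largest value a 16-bit beacon interval holds
TU_SECONDS = 1024 / 1_000_000   # one 802.11 time unit is 1024 microseconds
MAX_KEY_AGE_DAYS = 30           # constructed rotation policy for step 3

# Constructed sample configs: one straight out of the box, one hardened.
FACTORY_AP = """
name=ap-lobby
admin_password=admin
max_key_bits=128
key_bits=40
key_age_days=400
remote_reset=on
mac_acl=off
ssid=linksys
ssid_broadcast=on
beacon_interval_tu=100
snmp_version=2
dhcp_server=on
"""

HARDENED_AP = """
name=ap-floor2
admin_password=Tr0ub4dor&3x
max_key_bits=104   # older unit that tops out at 104-bit keys (step 2)
key_bits=104
key_age_days=12
remote_reset=off
mac_acl=on
ssid=blue-heron-7
ssid_broadcast=off
beacon_interval_tu=65535
snmp_version=3
dhcp_server=off
"""


def parse_ap_config(text):
    """Parse 'key=value' lines into a dict; '#' starts a comment."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            cfg[k.strip()] = v.strip()
    return cfg


def password_ok(pw):
    """Step 1 policy: at least eight chars mixing letters, digits and a special."""
    return bool(len(pw) >= 8 and re.search(r"[A-Za-z]", pw)
                and re.search(r"\d", pw) and re.search(r"[^A-Za-z0-9]", pw))


def beacon_seconds(tu):
    """Convert a beacon interval in time units to seconds (65535 TU ~ 67 s)."""
    return tu * TU_SECONDS


def audit_ap(cfg, key_ceiling):
    """Findings for one AP given the WLAN-wide key length; [] means it passes."""
    f, name = [], cfg.get("name", "?")
    pw = cfg.get("admin_password", "")
    if pw in DEFAULT_PASSWORDS or not password_ok(pw):
        f.append(f"{name}: step 1, admin password is default or violates policy")
    if int(cfg.get("key_bits", 0)) != key_ceiling:
        f.append(f"{name}: step 2, key length must be {key_ceiling} bits WLAN-wide")
    if int(cfg.get("key_age_days", 0)) > MAX_KEY_AGE_DAYS:
        f.append(f"{name}: step 3, shared keys older than {MAX_KEY_AGE_DAYS} days")
    if cfg.get("remote_reset", "off") != "off":
        f.append(f"{name}: step 4, remote reset is enabled")
    if cfg.get("mac_acl", "off") != "on":
        f.append(f"{name}: step 5, MAC address ACL is not enforced")
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        f.append(f"{name}: step 6, SSID is still a vendor default")
    if cfg.get("ssid_broadcast", "on") != "off":
        f.append(f"{name}: step 6, SSID broadcast is enabled")
    if int(cfg.get("beacon_interval_tu", 100)) < MAX_BEACON_TU:
        f.append(f"{name}: step 7, beacon interval below the maximum "
                 f"({beacon_seconds(MAX_BEACON_TU):.0f} s)")
    snmp = cfg.get("snmp_version", "off")
    if snmp not in ("off", "3"):
        f.append(f"{name}: step 8, SNMP v{snmp} agent active; require v3 or disable")
    if cfg.get("dhcp_server", "off") != "off":
        f.append(f"{name}: step 9, DHCP server is enabled on the AP")
    return f


def audit_wlan(configs):
    """Audit every AP; the common key length is the weakest AP's maximum."""
    ceiling = min(int(c.get("max_key_bits", 0)) for c in configs)
    return [finding for c in configs for finding in audit_ap(c, ceiling)]


if __name__ == "__main__":
    for line in audit_wlan([parse_ap_config(FACTORY_AP), parse_ap_config(HARDENED_AP)]):
        print(line)
```

Run against the two constructed configs, the hardened AP produces no findings and the factory-fresh one produces ten, one per checklist item (step 6 contributes two: the default SSID and the enabled broadcast). Note that the key-length check is deliberately WLAN-wide rather than per AP: flagging the 128-bit-capable unit for running at 104 bits would contradict step 2, which says the weakest AP sets the level for all.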

Source: National Institute of Technology